Наталя Хандусенко, Gadgets
9 December 2025, 16:48
Working with "white-hat hackers" moves from the "gray zone" into the legal field: the government has legalized Bug Bounty programs for state systems
The Cabinet of Ministers has adopted a resolution that creates a legal framework for conducting a Bug Bounty with the participation of ethical hackers. This concerns the search for vulnerabilities in state IT systems, including those belonging to critical infrastructure, processing state information resources and information with restricted access.
The resolution establishes clear rules for interaction between the state and the community of cybersecurity specialists, the State Service for Special Communications reports.
From now on, the search for vulnerabilities will be carried out in three main directions:
CERT-UA, industry CSIRTs, and system owners continuously collect and analyze information about vulnerabilities;
The State Cyber Defense Center of the State Special Communications Service (SCDC) conducts scheduled and unscheduled scanning of state web resources for vulnerabilities, as well as searches for vulnerabilities during the assessment of the security status of systems;
engaging external researchers to search for vulnerabilities under certain conditions.
The resolution also amends Order No. 497, legalizing Bug Bounty programs on a permanent basis and introducing a mechanism for coordinated vulnerability disclosure.
The basis for cooperation within the Bug Bounty procedure is a public offer in which the system owner or program organizer clearly defines all the conditions:
scope of testing;
vulnerability reporting rules;
sources of remuneration.
Researchers participating in such a program are required to strictly adhere to certain conditions, including simultaneously notifying not only the system owner, but also the national CERT-UA response team or the relevant CSIRT about the vulnerability found.
The coordinated vulnerability disclosure mechanism allows any researcher, even without participating in the Bug Bounty program, to legally and responsibly report a discovered security "hole".
The procedure gives the researcher the right to search for vulnerabilities, provided that they do not disrupt the system or exploit the vulnerability. At the same time, it establishes a clear obligation: if a vulnerability is discovered, the researcher must immediately, and no later than 24 hours after discovery, notify the system owner and CERT-UA (or the relevant CSIRT).
In this process, the national response team CERT-UA acts as the national coordinator, analyzing the information received, distributing it through secure channels, and coordinating further actions to eliminate the threat.
"The adoption of the resolution moves interaction with 'white-hat hackers' from the 'gray zone' into a legal field that complies with best global practices (in particular, ENISA recommendations). This creates an additional layer of protection, allowing vulnerabilities to be identified before attackers find them," the department notes.